10 July 2015 – (hospitalitybusinessnews.com) Earlier this year, Mandarin Oriental discovered a malware attack on our credit card systems in a number of our hotels listed below. In response, we issued a public statement on our website to alert guests to the attack so they could take proactive measures to monitor their credit card activity. We also immediately engaged law enforcement, cyber-forensic specialists, and appropriate credit card companies to coordinate investigation efforts and to take further steps to assist our guests. After a thorough investigation, we now know more about the incident and are notifying affected guests. We have established a call center that is prepared to address any questions our guests may have about the breach. We regret that this incident occurred and are sorry for any inconvenience it may cause. We take the safety and security of our guests and their personal information very seriously, and the trust our guests place in us remains an absolute priority.
From our investigation, it appears that a hacker used malware to obtain access to certain credit card systems in a number of Mandarin Oriental hotels. We believe this hacker may have used the malware to acquire the names and credit card numbers of guests who used a credit card for dining, beverage, spa, guest rooms, or other products and services at the following Mandarin Oriental properties during these time periods; we have not, however, found any evidence of acquisition or misuse of credit card pin numbers or security codes, or any other personal guest data:
– Mandarin Oriental, Boston between June 18, 2014 and March 12, 2015
– Mandarin Oriental, Geneva between June 18, 2014 and March 3, 2015
– Mandarin Oriental, Hong Kong between June 18, 2014 and February 10, 2015
– Mandarin Oriental Hyde Park, London between June 18, 2014 and March 5, 2015
– Mandarin Oriental, Las Vegas between June 18, 2014 and October 16, 2014
– Mandarin Oriental, Miami between June 18, 2014 and March 3, 2015
– Mandarin Oriental, New York between June 18, 2014 and January 18, 2015
– Mandarin Oriental, San Francisco between June 18, 2014 and February 14, 2015
– Mandarin Oriental, Washington DC between June 18, 2014 and January 20, 2015
– The Landmark Mandarin Oriental, Hong Kong between June 18, 2014 and February 3, 2015
Since we were first alerted to this attack, we have been investigating this incident across multiple countries and properties, and working in coordination with law enforcement and the credit card companies. We have timed this notice to avoid disrupting or impeding their concurrent investigations. We have also taken comprehensive steps to ensure that the malware has been removed and that the hacker is no longer in our systems.
In some instances, a credit card company may have already replaced the potentially affected credit card if it determined that the guest was at risk. We encourage potentially affected guests to remain vigilant for instances of fraud and identity theft, and to regularly review and monitor relevant account statements and credit reports to ensure the information contained in them is accurate. If any unauthorized charges on credit or debit card(s) are detected, guests should contact their card issuer. If anything is seen that is incorrect on credit reports, guests should contact the credit reporting agency. Suspected incidents of identity theft should be reported to local law enforcement. Even if no signs of fraud are found on reports or account statements, security experts suggest that credit reports and account statements should be checked periodically.